CVE-2026-34717

CVSS v3.1

9.9

Critical

AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H

OpenProject is an open-source, web-based project management software. Prior to version 17.2.3, the =n operator in modules/reporting/lib/report/operator.rb:177 embeds user input directly into SQL WHERE clauses without parameterization. This issue has been patched in version 17.2.3.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

CVE-2026-34717

Affected Products

Openproject

CVE-2026-34717

Weakness Enumeration

Related Identifiers

Affected Products

References · 3